Privacy watchdog calls for mandatory data breach reporting

Private businesses should be forced to report privacy security breaches, says B.C. Information and Privacy Commissioner Elizabeth Denham.

Privacy breaches reaching "epidemic" proportion in B.C., says commissioner

B.C. Privacy and Information Commissioner Elizabeth Denham says laptops and mobile phones often contain sensitive information. (iStock)

In an interview with CBC News, Denham said the province needs to amend its Personal Information Protection Act. Her office has been calling for the change since 2008, but she fears B.C. will be left behind other jurisdictions if the government waits much longer.

"I would like to get a commitment from government — but I know that they are looking at it," she said.

"I think it should be in law. I think the impact of that will be that individuals will know when there's been a significant breach affecting them, and secondly there will be more investment in the security of personal information if there's a mandatory requirement in law."

Denham says the breaching of private information is reaching "epidemic" proportion in B.C.

Her office investigated 500 cases of privacy breaches last year in both the private and public sectors. While public bodies are required by legislation to report data breaches to the government's Chief Information Officer, no similar rules apply to private organizations.

'Personal information is a commodity'

Denham says her organization often only learns about those incidents through media reports.

"Unfortunately I think we only hear about — on a voluntary basis — a limited number of breaches," she said. "Who knows because there's no requirement to report, but I believe we're not hearing about a large percentage of breaches."

Denham says one of the most significant challenges to privacy is the rise in popularity of mobile devices.

"We're using flash drives, we have laptop computers that contain a lot of sensitive personal information. Unfortunately, it's not always encrypted. Many times that data is carried on a mobile device for no reason whatsoever," she said.

"And on top of that, personal information is a commodity. Thieves are looking for this information. There's a market for personal information, especially financial information."

UVic rapped for privacy breach

In one of the most significant cases in years, Denham's office criticized the University of Victoria last month for failing to protect personal information in what she called a "foreseeable and preventable" breach.

The university lost names, social insurance numbers and banking information of 12,000 former and current University of Victoria employees on a stolen USB flash drive. The information was unencrypted.

At present, only Alberta requires private organizations to report privacy breaches.

Parliament is currently considering Bill C-12, an act that would amend the Federal Personal Information Protection and Electronic Documents Act to force organizations to notify the federal privacy commissioner of "material" breaches of security surrounding their personal information.

Denham says a requirement exists for B.C.'s legislation to be substantially similar to the federal law.

"The challenge is that B.C. is going to fall behind the other jurisdictions," she said. "If Bill C-12 is passed and a mandatory regime is in place federally then there will be even more reason for B.C. to follow suit."

Recent court cases

A series of recent court cases suggests Canadians aren't waiting for privacy commissioners to hold organizations accountable for security breaches.

Last month, a Quebec judge ruled on a class action suit against DaimlerChrysler for the loss of a data tape containing information on 240,000 customers.

A Quebec woman claimed damages for "anxiety, inconvenience, pain, suffering and/or fear" due to loss of personal information. The judge refused to certify the class action because the woman, who wasn't actually a victim of fraud, couldn't establish "compensable" damages.

In the ruling, the judge referred to another class action, certified against the National Bank.

In that case, three computers were stolen, one of which contained personal information on 225,000 clients. The petitioner was the victim of three attempts to defraud him.

In another case, staff at an Ontario jail reached a settlement for $1,000 each after an employee list with home contact information was left in an open, unsecured hallway in the jail.

Last year, a judge also certified a class action against Durham Region Health.

In that case, a nurse lost a USB thumb drive containing personal and confidential health information of over 83,500 patients. The thumb drive contained unencrypted private patient information relating to H1N1 flu vaccinations received during the period of October 23 to December 15, 2009.